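#!/bin/bash
set -euo pipefail

# ============================================================
# Jefflix VPN Cutover Script
#
# Removes public access to *.jefflix.lol by dropping every
# jefflix.lol ingress rule from the Cloudflare tunnel config and
# restarting cloudflared. VPN (Tailscale) users keep access via the
# server's CoreDNS, which is checked before anything is changed.
#
# Run ONLY after setup.sh and after confirming VPN access works.
# Needs write access to $TUNNEL_CONFIG and the ability to restart
# the cloudflared container (in practice: run as root).
#
# Requires: tailscale, dig, docker, python3 with PyYAML.
#
# NOTE: this only edits the tunnel's ingress rules. Public DNS
# records that still point at the tunnel keep resolving; requests
# for them now fall through to the tunnel's catch-all rule, which is
# why the post-cutover check expects a 404 rather than NXDOMAIN.
# ============================================================

readonly TUNNEL_CONFIG="/root/cloudflared/config.yml"
readonly TEST_HOST="movies.jefflix.lol"

# Print an error to stderr and exit non-zero.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

echo "========================================"
echo " Jefflix Public Access Cutover"
echo "========================================"
echo ""

# --- Pre-flight: required tools ------------------------------------
for tool in tailscale dig docker python3; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# --- Pre-flight: Tailscale is up on this server ----------------------
# `tailscale ip -4` prints one address per line; keep only the first so
# a node with several v4 addresses cannot produce a multi-line value
# that would break the DNS comparison below.
TAILSCALE_IP=$(tailscale ip -4 2>/dev/null | head -n 1 || true)
[[ -n "$TAILSCALE_IP" ]] || die "Tailscale not running on this server. Run setup.sh first."

echo "Server Tailscale IP: $TAILSCALE_IP"
echo ""

# --- Pre-flight: CoreDNS answers for the VPN name ---------------------
# Query the server's own CoreDNS (listening on the Tailscale IP) and
# require exactly one A record equal to the Tailscale IP. Anything else
# (empty, several records, a public IP) means VPN users would be cut off
# once public access is removed, so refuse to continue.
DIG_RESULT=$(dig +short "@${TAILSCALE_IP}" "$TEST_HOST" 2>/dev/null || echo "FAILED")
if [[ "$DIG_RESULT" != "$TAILSCALE_IP" ]]; then
  printf 'ERROR: CoreDNS not resolving correctly. Got: %s (expected %s)\n' \
    "$DIG_RESULT" "$TAILSCALE_IP" >&2
  die "Fix CoreDNS before proceeding."
fi
echo "✓ CoreDNS resolving correctly"

# --- Pre-flight: tunnel config is present and writable ----------------
[[ -f "$TUNNEL_CONFIG" ]] || die "tunnel config not found: $TUNNEL_CONFIG"
[[ -w "$TUNNEL_CONFIG" ]] || die "tunnel config not writable (run as root?): $TUNNEL_CONFIG"

echo ""
echo "This will REMOVE public access to all *.jefflix.lol services."
echo "Users will need Tailscale connected to vpn.jeffemmett.com to access Jefflix."
echo ""
read -p "Continue? [y/N] " -n 1 -r
echo ""

if [[ ! $REPLY =~ ^[Yy]$ ]]; then
  echo "Aborted."
  exit 0
fi

# --- Remove jefflix entries from Cloudflare tunnel --------------------
echo ""
echo "[Cutover] Removing *.jefflix.lol from Cloudflare tunnel..."

# Timestamped backup for rollback; -p keeps the original mode/ownership
# so the restored file is usable by cloudflared as-is.
BACKUP="${TUNNEL_CONFIG}.pre-cutover-$(date +%Y%m%d-%H%M%S)"
cp -p -- "$TUNNEL_CONFIG" "$BACKUP"
echo " Backup written to $BACKUP"

# Drop every ingress rule whose hostname is jefflix.lol or a name under
# it. The config path is passed as argv[1] instead of being interpolated
# into the Python source, and the file is rewritten via temp file + rename
# so an interrupted write cannot leave cloudflared with a truncated config.
# (cloudflared re-reads the file on `docker restart`, so the new inode is
# picked up; if config.yml is bind-mounted as a single file rather than a
# directory, confirm that after the first run.)
python3 - "$TUNNEL_CONFIG" <<'PYEOF'
import os
import sys
import tempfile

import yaml

path = sys.argv[1]
zone = "jefflix.lol"

with open(path) as f:
    config = yaml.safe_load(f)

# Refuse to touch a config we do not understand; the original code would
# have written back an empty ingress list here, which cloudflared rejects.
if not isinstance(config, dict) or not isinstance(config.get("ingress"), list):
    sys.exit(f"ERROR: {path} has no 'ingress' list; refusing to rewrite it")


def is_jefflix(entry):
    """True for hostnames equal to the zone or any label under it.

    Matches "jefflix.lol", "*.jefflix.lol" and "movies.jefflix.lol" but
    not unrelated names that merely contain the string (e.g. "notjefflix.lol").
    """
    host = entry.get("hostname") if isinstance(entry, dict) else None
    if not isinstance(host, str):
        return False
    host = host.strip().lower().rstrip(".")
    return host == zone or host.endswith("." + zone)


before = config["ingress"]
after = [e for e in before if not is_jefflix(e)]
removed = len(before) - len(after)

if removed == 0:
    print(f" WARNING: no {zone} entries found in {path}; config left unchanged",
          file=sys.stderr)
    sys.exit(0)

# cloudflared requires the final ingress rule to be a catch-all with no
# hostname. Without it the new config is rejected and cloudflared will not
# start, so refuse to write such a file rather than take the tunnel down.
last = after[-1] if after else None
if not isinstance(last, dict) or "hostname" in last:
    sys.exit("ERROR: resulting ingress has no trailing catch-all rule; refusing to rewrite")

config["ingress"] = after

dirname = os.path.dirname(os.path.abspath(path))
fd, tmp = tempfile.mkstemp(prefix=".config.yml.", dir=dirname)
try:
    with os.fdopen(fd, "w") as f:
        yaml.dump(config, f, default_flow_style=False, sort_keys=False)
    # Keep the original permission bits; mkstemp creates the file 0600.
    os.chmod(tmp, os.stat(path).st_mode & 0o7777)
    os.replace(tmp, path)
except BaseException:
    os.unlink(tmp)
    raise

print(f" Removed {removed} {zone} entries from tunnel config")
PYEOF

# Restart cloudflared so it loads the trimmed config
echo " Restarting cloudflared..."
docker restart cloudflared
echo " ✓ Cloudflared restarted"

# Give the container a moment, then confirm it is actually running. A
# config cloudflared rejects leaves it stopped or crash-looping, and the
# original script would still have reported "Cutover Complete".
sleep 5
CF_RUNNING=$(docker inspect -f '{{.State.Running}}' cloudflared 2>/dev/null || echo "false")
if [[ "$CF_RUNNING" != "true" ]]; then
  docker logs --tail 20 cloudflared >&2 || true
  die "cloudflared is not running after restart (logs above). To roll back, run rollback.sh (backup: $BACKUP)."
fi
echo " ✓ cloudflared is running"

echo ""
echo "========================================"
echo " Cutover Complete"
echo "========================================"
echo ""
echo "Public access to *.jefflix.lol is now REMOVED."
echo ""
echo "Verify from a non-VPN device:"
echo "  curl -I https://movies.jefflix.lol    (should fail/404 from the tunnel catch-all, not serve content)"
echo ""
echo "Verify from a VPN device:"
echo "  curl http://movies.jefflix.lol        (should work)"
echo ""
echo "Backup of the previous tunnel config: $BACKUP"
echo "To ROLLBACK: run rollback.sh"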